#include <tunables/global>

{{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/bin/python {
    #include <abstractions/base>

    # The sandbox interpreter may read and memory-map (mr) everything in its
    # own virtualenv. Anything not matched by a rule here or by
    # abstractions/base is denied, so every path below is a deliberate grant.
    {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/** mr,
    # TODO: need a way of providing read access to the edxapp sandbox
    # packages; edxapp_code_dir is not templated in this file, so the intended
    # rule is kept here as a placeholder until it can be rendered:
    # edxapp_code_dir /common/lib/sandbox-packages/** r,
    # Per-run scratch directories. "wrix" on the contents means the sandboxed
    # process can write a file and then execute it; "ix" (inherit) keeps any
    # such child confined under this same profile rather than escaping it.
    /tmp/codejail-*/ rix,
    /tmp/codejail-*/** wrix,

    #
    # Whitelist particular shared objects from the system
    # python installation. Keep this list minimal: each entry widens the
    # native code the sandbox can load.
    #
    /usr/lib/python2.7/lib-dynload/_json.so mr,
    # NOTE(review): _ctypes lets sandboxed Python dlopen() and call into any
    # library the profile already allows to be mapped (including whatever
    # abstractions/base grants) -- confirm the graders actually need it.
    /usr/lib/python2.7/lib-dynload/_ctypes.so mr,
    /usr/lib/python2.7/lib-dynload/_heapq.so mr,
    /usr/lib/python2.7/lib-dynload/_io.so mr,
    /usr/lib/python2.7/lib-dynload/_csv.so mr,
    /usr/lib/python2.7/lib-dynload/datetime.so mr,
    /usr/lib/python2.7/lib-dynload/_elementtree.so mr,
    /usr/lib/python2.7/lib-dynload/pyexpat.so mr,
    /usr/lib/python2.7/lib-dynload/future_builtins.so mr,
    #
    # Allow access to selections from /proc
    # "*" matches any pid, so this exposes the mount table of every process,
    # not only the sandbox's own; newer AppArmor releases can narrow it with
    # the @{pid} variable if only the process's own entry is needed.
    #
    /proc/*/mounts r,

}
